The Science of Web Art, Design and Development

Security questions on Internet accounts and safe passwords hard to guess

On most serious websites, the guidelines for choosing a password include not using pet names, birth dates, wedding dates or dictionary words, because they are too easy to guess and can be cracked easily to gain access to your account.

Image: Facebook password hint (snapshot of the security question asked by Facebook)

What really amazes me is that, after you pick a (hopefully) hard-to-guess and possibly hard-to-remember password, the very same system asks you for a “security question” to help you in case you forget it, and these questions are often as stupid as your pet’s name, which is precisely the kind of thing you should avoid as a password.

What is the use of having a strong password if you leave a door open for anyone who knows your pet’s name or the time you were born? Come on! For this level of security you might as well use your pet’s name as the password; at least then the system wouldn’t hint to the cracker that it wants a pet’s name.

Now, how can we turn this to our advantage? By creating a password that is next to impossible to guess and easy to remember.

Step 1 - Pick something easy to remember

The first thing to do is to take a word, a sentence, the first verse of a song, a line from a movie, the title of a book you like or whatever you find easy to remember. For this example I’ll use the Beatles song “Strawberry Fields Forever”.

Step 2 - Pick just the letters that make more sense to you

In any phrase, some letters are more obvious than others. This is more or less the same for everybody, but a little randomness can appear at this step. Some simple choices could be:

  • strbfever
  • stbfld4ever

But you could just as well use something more deterministic, like the first and last letter of every word, or numeric shorthand for some words:

  • syfsfrer
  • syfs4er

Yes, it’s deterministic, but who could guess it if you don’t tell anyone which rule you are using?

Step 3 - Shake things up a little

Get used to a few letter transformations that make sense to you. For instance, you can use ‘@’ instead of ‘a’, ‘$’ or ‘z’ instead of ‘s’, and ‘!’ instead of ‘i’. Choose half a dozen transformations that make some sense to you.

To add some more spice, the second letter (not character) will be capitalized.

After the transformation, ‘syfs4er’ could become ‘$yFs4er’.
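The three steps above carried out in code, as an added example that is not part of the original post. The split of “Forever” into “for ever”, the numeric shorthand table, the substitution table and the rule of replacing only the first occurrence of each mapped letter are assumptions, chosen so that the output reproduces the post’s own values (‘syfsfrer’, ‘syfs4er’ and ‘$yFs4er’).

```python
import re

# Assumption: the post treats "Forever" as the two words "for" and "ever".
COMPOUNDS = {"forever": ("for", "ever")}
# Assumption: numeric shorthand for whole words (Step 2).
NUMERIC_SHORTHAND = {"for": "4", "to": "2", "ate": "8"}
# Letter transformations suggested in Step 3 (a, s, i are from the post).
SUBSTITUTIONS = {"a": "@", "s": "$", "i": "!"}


def split_words(phrase):
    """Step 1 helper: lower-case words, expanding known compounds."""
    words = []
    for word in re.findall(r"[a-z]+", phrase.lower()):
        words.extend(COMPOUNDS.get(word, (word,)))
    return words


def pick_letters(phrase, use_shorthand=True):
    """Step 2: first and last letter of every word, or a numeric shorthand."""
    parts = []
    for word in split_words(phrase):
        if use_shorthand and word in NUMERIC_SHORTHAND:
            parts.append(NUMERIC_SHORTHAND[word])
        else:
            parts.append(word[0] + word[-1] if len(word) > 1 else word)
    return "".join(parts)


def shake(core):
    """Step 3: replace the first occurrence of each mapped letter (assumed
    rule), then upper-case the second *letter*; digits and symbols don't count."""
    for letter, symbol in SUBSTITUTIONS.items():
        core = core.replace(letter, symbol, 1)
    letter_positions = [i for i, ch in enumerate(core) if ch.isalpha()]
    if len(letter_positions) >= 2:
        i = letter_positions[1]
        core = core[:i] + core[i].upper() + core[i + 1:]
    return core


def derive(phrase, use_shorthand=True):
    """Run all three steps on a memorable phrase."""
    return shake(pick_letters(phrase, use_shorthand))


if __name__ == "__main__":
    print(derive("Strawberry Fields Forever"))  # $yFs4er
```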

Now you can use this string as both your password and the answer to your security question, which makes sense because both grant the same access, and it is absurd to have two different passwords for the same thing.

If you forget your password and the system asks you to answer “What is your favorite song?”, the answer is an easy-to-remember word or phrase plus a couple of transformations that are the same throughout all your passwords. As long as you keep these rules to yourself, you can even say out loud what your favorite song is, though I’d choose a song that is not my favorite, just to add a little extra security.


5 Comments

  • 1
    ses5909 says:

    I’m ashamed to say that I never thought of it that way, but you’re right. Luckily though when you do need to reset your password, it usually emails it to you instead of letting you reset it right there.

    Sunday, 7 October 2007, 12:23
  • 2

    @ses5909 -

    Luckily though when you do need to reset your password, it usually emails it to you instead of letting you reset it right there.

    Security questions are actually security holes. They shouldn’t be used unless the answer is really, absolutely, completely unguessable.

    Now, if the site asks you to reset your password instead of sending it to you, that is better. It usually means that the site itself doesn’t keep your password, only a cryptographed version of it, and that is why you have to reset it.

    Sunday, 7 October 2007, 15:02
  • 3
    Damien Oh says:

    I guess I overlooked the part on security questions when I wrote the post “a fool proof way to remember passwords effortlessly”. I don’t really trust security questions. Most of the time, I would rather have the password emailed to me than answer the security question.

    Wednesday, 5 December 2007, 5:31
  • 4

    Great tip, Guilherme. Like ses5909, I didn’t really think of security questions in this way until reading this. But, you’re absolutely right.

    However, I don’t think that many sites actually keep your password on file. Most use a cryptographed version, I think.

    Still, it’s always better to be more secure in situations like this.

    Wednesday, 5 December 2007, 8:53
  • 5

    @Damien Oh -

    Most of the time, I would rather have the password emailed to me than to answer the security question.

    Well, that is a problem. As I said in the comment above, if the password is emailed to you, it is because it was stored unencrypted, and that is a problem in itself.

    I’d rather be emailed a URL where I am able to change it. This is because if the email is stored encrypted it can’t be mailed to me. So I prefer it that way.

    Anyway, I don’t like security questions either, I see them plainly as security holes.

    @Adam Snider -

    Great tip, Guilherme. Like ses5909, I didn’t really think of security questions in this way until reading this. But, you’re absolutely right.

    However, I don’t think that many sites actually keep your password on file. Most use a cryptographed version, I think.

    Still, it’s always better to be more secure in situations like this.

    I have seen many sites emailing you your password when you forget it; that is clear evidence that it is stored in plain text, and I consider that really bad. Still, many others do save them cryptographed.

    The big problem with keeping plain text passwords on their servers is that if someone hacks in and gets them, they will certainly be useful elsewhere as well, unless you keep a different password for each server.

    Wednesday, 5 December 2007, 12:45
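The storage model the author argues for in comments 2 and 5 (keep only a derived form of the password, never mail the password back, mail a URL that lets the user set a new one), written out as an added example that is not part of the post or the comments. The use of PBKDF2-HMAC-SHA256, the iteration count, the 15-minute token lifetime and the in-memory store are assumptions; a real site would persist the same records in a database.

```python
import hashlib
import hmac
import secrets
import time

ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor (assumed)
TOKEN_TTL = 15 * 60    # reset link lifetime in seconds (assumed)


class UserStore:
    """Toy in-memory store. It holds a salted, slow hash of each password, so
    'email me my password' is impossible by construction; only a reset works."""

    def __init__(self):
        self.users = {}         # username -> (salt, pbkdf2 digest)
        self.reset_tokens = {}  # sha256(token) -> (username, expires_at)

    def set_password(self, username, password):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
        self.users[username] = (salt, digest)

    def check_password(self, username, password):
        if username not in self.users:
            return False
        salt, digest = self.users[username]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
        return hmac.compare_digest(candidate, digest)  # constant-time compare

    def issue_reset_token(self, username, now=None):
        """Return the secret to embed in the emailed URL; only its hash is stored,
        so a copy of the database does not yield usable reset links."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        token_hash = hashlib.sha256(token.encode()).hexdigest()
        self.reset_tokens[token_hash] = (username, now + TOKEN_TTL)
        return token

    def reset_with_token(self, token, new_password, now=None):
        """Single use: the token is consumed whether or not it is still valid."""
        now = time.time() if now is None else now
        token_hash = hashlib.sha256(token.encode()).hexdigest()
        entry = self.reset_tokens.pop(token_hash, None)
        if entry is None:
            return False
        username, expires_at = entry
        if now > expires_at:
            return False
        self.set_password(username, new_password)
        return True
```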
